[openstack-dev] [Nova][TripleO] Nested resources

Clint Byrum clint at fewbar.com
Mon Dec 9 17:47:30 UTC 2013

Excerpts from Fox, Kevin M's message of 2013-12-09 09:34:06 -0800:
> I'm thinking more generic:
> The cloud provider will provide one or more "suballocating" images. The one Triple O uses to take a bare metal node and make vm's available would be the obvious one to make available initially. I think that one should not have a security concern since it is already being used in that way safely.

I like where you're going with this, in that the cloud should eventually
become "self aware" enough to be able to privision the baremetal resources
it has and spin nova up on them. I do think that is quite far out. Right
now, we have two nova's.. an undercloud nova which owns all the baremetal,
and an overcloud nova which owns all the vms. This is definitely nested,
but there is a hard line between the two.

For many people, that hard line is a feature. For others, it is a bug.  :)

> I think a docker based one shouldn't have the safety concern either, since I think docker containerizes network resources too? I could be wrong though.

The baremetal-to-tenant issues have little to do with networking. They
are firmware problems. Root just has too much power on baremetal.
Somebody should make some hardware which defends against that. For now
the best thing is virtualization extensions.

Docker isn't really going to fix that. The containerization that is
available is good, but does not do nearly as much as true virtualization
does to isolate the user from the hardware. There's still a single
kernel there, and thus, if you can trick that kernel, you can own the
whole box. I've heard it descried as "a little better than chroot".
AFAIK, the people using containers for multi-tenant are doing so by
leveraging kernel security modules heavily.

More information about the OpenStack-dev mailing list